Abstract — We propose a new, efficient non-deterministic decoding algorithm for square-free Goppa codes over $\mathbb{F}_p$, for any prime $p$. If the code in question has degree $t$ and the average distance to the closest codeword is at least $(4/p)t + 1$, the proposed decoder can uniquely correct up to $(2/p)t$ errors with high probability. The correction capability is higher if the distribution of error magnitudes is not uniform, approaching or reaching $t$ errors when any particular error value occurs much more often than others or exclusively. This makes the method interesting for (semantically secure) cryptosystems based on the decoding problem for permuted and punctured Goppa codes.

Index Terms — Algorithms, Cryptography, Decoding, Error correction



I. Introduction 

PUBLIC-KEY cryptosystems based on coding theory, known for nearly as long as the very concept of asymmetric cryptography itself, have recently been attracting renewed interest because of their apparent resistance even against attacks mounted with the help of quantum computers, constituting a family of so-called post-quantum cryptosystems [1]. However, not all error-correcting codes are suitable for cryptographic applications. The most commonly used family of codes for such purposes is that of Goppa codes, which remain essentially unharmed by cryptanalysis despite considerable efforts and progress in the area.

Introduced in 1970, Goppa codes [2] are a subfamily of alternant codes, i.e. subfield subcodes of Generalized Reed-Solomon codes. Let $q = p^m$ for some prime $p$ and some $m > 0$. A Goppa code $\Gamma(L, g)$ over $\mathbb{F}_p$ is determined by a sequence $L \in \mathbb{F}_q^n$ of distinct values, and a polynomial $g \in \mathbb{F}_q[x]$ of degree $t := \deg(g)$ whose roots are disjoint from $L$. Goppa codes have by design a minimum distance of at least $t + 1$ by virtue of being alternant. Certain codes are known to have better minimum distances than this lower bound. Thus, binary Goppa codes where $g$ is square-free are known to have a larger minimum distance of at least $2t + 1$ instead. A family of codes where $g$ is not square-free has minimum distance at least $t + j - 1$ for some $2 \le j \le t - 1$, which is known as the Hartmann-Tzeng bound for Goppa codes [3], [4].

The class of Sugiyama-Kasahara-Hirasawa-Namekawa codes [5] where $g = h^{r-1}$ for some square-free monic polynomial $h \in \mathbb{F}_q[x]$ and some power $r$ of $p$ dividing $q$, which constitute a proper superclass of the so-called "wild" codes where $h$ is restricted to being irreducible [6], have minimum distance at least $r\deg(h) + 1$ rather than $(r - 1)\deg(h) + 1$. Although it is known that the minimum distance of a Goppa code of degree $t$ is at least $t + 1$ and there are known cases where it is higher (up to $2t + 1$, as it happens for binary square-free Goppa codes), systematically determining the true minimum distance of any given subfamily of Goppa codes remains largely an open problem, yet it is an important metric as it determines not only how many errors can always be uniquely corrected, but indirectly the security level and the key sizes of the cryptosystems based on each given code.

Apart from brute force, known decoding methods for alternant codes can in general correct only about half as many errors as a binary square-free Goppa code is in principle able to correct [7], [8] (see also [9]). Even the Guruswami-Sudan algorithm [10], which exceeds the $t/2$ limit, can only correct about $n - \sqrt{n(n - t)} \approx t/2 + (t/2)^2/(2n - t)$ errors. In contrast, Patterson's algorithm can correct all $t$ design errors of binary Goppa codes, as can an alternant decoder using the equivalence $\Gamma(L, g) = \Gamma(L, g^2)$, albeit at a larger computational cost. Bernstein's list decoding method [11] goes somewhat further, attaining a correction capability of $n - \sqrt{n(n - 2t - 2)} \approx t + 1 + (t + 1)^2/(2(n - t - 1))$ errors for binary irreducible Goppa codes, although decoding is ambiguous if the actual distance is not proportionally higher. Similar techniques can in principle correct about $n - \sqrt{n(n - rt)} \approx rt/2 + (rt/2)^2/(2n - rt)$ errors for wild codes. Bernstein's method does not reach the $q$-ary Johnson radius, but a more recent algorithm by Augot et al. does so in the binary case [12].

A. Our Results 

Our contribution in this paper is a non-deterministic decoding algorithm for square-free Goppa codes over $\mathbb{F}_p$ for any prime $p$. The method generalizes Patterson's approach and can potentially correct up to $(2/p)t$ errors, on the condition that a suitable short vector can be found in a certain polynomial lattice. In particular, our method corrects $(2/3)t$ errors in characteristic 3, exceeding the $t/2$ barrier when the average distance to the closest codeword is at least $(4/3)t + 1$. In experiments conducted to assess the practical behaviour of our proposal, the result of the decoding is observed to be unique with overwhelming probability for irreducible ternary Goppa codes chosen uniformly at random, hinting that, for the vast majority of such codes, the average distance to the closest codeword is sufficiently higher than the ensured minimum distance. Besides, our proposal can probabilistically correct a still larger number of errors that approaches and reaches $t$ depending on the distribution of error magnitudes. For instance, the method corrects up to $t$ errors with high probability if all error magnitudes are known to be equal.

This feature outperforms even Sugiyama-Kasahara-Hirasawa-Namekawa and wild codes and the associated decoding methods, and is particularly interesting for cryptographic applications like McEliece encryption [13] under the Fujisaki-Okamoto or similar semantic security transform [14], where error magnitudes can be chosen by convention to be all equal. In that case, even if an attacker could somehow derive a generic alternant decoder from the public code that is typical in such systems (a strategy exploited e.g. in [15]), he will not be able to correct more than about $t/2$ errors out of the roughly $t$ that can be corrected with the private trapdoor enabled by our proposal, facing an infeasible workload of about $(p - 1)\binom{n}{t/2}/\binom{t}{t/2}$ guesses to mount a complete attack. This makes Goppa codes in odd characteristic, which have already been shown to sport some potential security advantages over binary ones [16], even more attractive in practice.

For the benefit of implementors, we describe a dedicated version of the Mulders-Storjohann algorithm to convert the particular lattice basis encountered during the decoding process to weak Popov form. The computational complexity of this step is then shown to be $O(p^3 t^2)$.

B. Organization of the Paper 

The remainder of this document is organized as follows. We provide basic notions in Section II. We recapitulate Patterson's decoding algorithm for binary irreducible Goppa codes in Section III and extend it to square-free codes in characteristic $p$ in Section IV, showing that it can correct $(2/p)t$ errors in general and up to $t$ errors depending on the distribution of error magnitudes. We conclude in Section V.

II. Preliminaries 

Matrix indices will start from 0 throughout this paper, unless otherwise stated. Let $p$ be a prime and let $q = p^m$ for some $m > 0$. The finite field of $q$ elements is written $\mathbb{F}_q$. For sequences of elements $(g_1, \dots, g_t) \in \mathbb{F}_q^t$, $(L_0, \dots, L_{n-1}) \in \mathbb{F}_q^n$ and $(d_0, \dots, d_{n-1}) \in \mathbb{F}_q^n$ for some $t, n \in \mathbb{N}$, we denote by $\mathrm{toep}(g_1, \dots, g_t)$ the $t \times t$ Toeplitz matrix with elements $T_{ij} := g_{t-i+j}$ for $j \le i$ and $T_{ij} := 0$ otherwise; by $\mathrm{vdm}_t(L_0, \dots, L_{n-1})$ the $t \times n$ Vandermonde matrix with elements $V_{ij} := L_j^i$, $0 \le i < t$, $0 \le j < n$; and by $\mathrm{diag}(d_0, \dots, d_{n-1})$ the diagonal matrix with diagonal elements $D_{jj} := d_j$, $0 \le j < n$.

A. Error Correcting Codes 

Let $L = (L_0, \dots, L_{n-1}) \in \mathbb{F}_q^n$ be a sequence (called the support) of $n \le q$ distinct elements, and let $g \in \mathbb{F}_q[x]$ be an irreducible monic polynomial of degree $t$ such that $g(L_i) \ne 0$ for all $i$. For any word $e \in \mathbb{F}_p^n$ we define the corresponding Goppa syndrome polynomial $S_e \in \mathbb{F}_q[x]$ to be:

\[ S_e(x) := \sum_{j=0}^{n-1} \frac{e_j}{x - L_j} \bmod g(x). \]

Thus the syndrome is a linear function of $e$. The $[n, \ge n - mt, \ge t + 1]$ Goppa code over $\mathbb{F}_p$ with support $L$ and generator polynomial $g$ is the kernel of the syndrome function applied to elements from $\mathbb{F}_p^n$, i.e. the set $\Gamma(L, g) := \{e \in \mathbb{F}_p^n \mid S_e \equiv 0 \bmod g\}$.

Writing $S_e(x) := \sum_i s_i x^i$ for some $s \in \mathbb{F}_q^t$, one can show that $s = He^{\mathrm{T}}$ where the parity-check matrix $H$ has the form

\[ H = \mathrm{toep}(g_1, \dots, g_t) \cdot \mathrm{vdm}_t(L_0, \dots, L_{n-1}) \cdot \mathrm{diag}(g(L_0)^{-1}, \dots, g(L_{n-1})^{-1}) \tag{1} \]

Thus $H = TVD \in \mathbb{F}_q^{t \times n}$, where $T \in \mathbb{F}_q^{t \times t}$ is a Toeplitz matrix, $V \in \mathbb{F}_q^{t \times n}$ is a Vandermonde matrix, and $D \in \mathbb{F}_q^{n \times n}$ is a diagonal matrix.

Since a Goppa code is an $\mathbb{F}_p$-subfield subcode, it is possible to express the syndrome function in terms of a parity-check matrix $H' \in \mathbb{F}_p^{mt \times n}$ using the so-called trace construction (see e.g. [9, Ch. 7, § 7]). This is useful to obtain a syndrome $s' \in \mathbb{F}_p^{mt}$ equivalent to $s \in \mathbb{F}_q^t$ above while keeping the arithmetic operations in $\mathbb{F}_p$ rather than $\mathbb{F}_q$, even though it is not immediately useful for decoding, at which point a syndrome over $\mathbb{F}_q$ has to be assembled by inverting the trace construction.

The syndrome decoding problem consists of computing the error pattern $e$ given its syndrome $S_e$. Knowledge of the code structure in the form of the support $L$ and the polynomial $g$ makes this problem solvable in polynomial time, with some constraints relating the weight of $e$ to the degree of $g$.
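As an added example (not code from the paper), the following computes the Goppa syndrome of Section II.A in two ways and checks that they agree: directly from the definition, using $1/(x - L_j) \bmod g(x) = -g(L_j)^{-1}(g(x) - g(L_j))/(x - L_j)$ (a synthetic division), and through the product $H = TVD$ of Equation (1). It assumes $m = 1$, so that $q = p$ and all arithmetic stays in $\mathbb{F}_p$; the parameters $p = 11$, $g(x) = x^3 + 4x + 1$ (irreducible over $\mathbb{F}_{11}$, it has no roots there) and the error patterns are constructed for the example. With the Toeplitz convention of Section II, the rows of $He^{\mathrm{T}}$ hold the coefficients of $-S_e(x)$ from the highest degree downward, and that is the relation the code verifies.

```python
# Added example: the Goppa syndrome from its definition and from H = TVD (Equation (1)).
# Assumption: m = 1, so F_q = F_p. Polynomials are coefficient lists, lowest degree first.
P = 11
G = [1, 4, 0, 1]            # g(x) = x^3 + 4x + 1, irreducible over F_11 (no roots in F_11)
L = list(range(P))          # support: the whole of F_11


def inv(a):                 # inverse in F_p (p prime)
    return pow(a % P, P - 2, P)


def g_at(g, a):             # g(a) by Horner's rule
    acc = 0
    for c in reversed(g):
        acc = (acc * a + c) % P
    return acc


def inverse_of_linear(g, a):
    """1/(x - a) mod g(x) = -g(a)^{-1} * (g(x) - g(a)) / (x - a).
    The quotient comes from synthetic division by (x - a); its remainder is g(a)."""
    quot, acc = [0] * (len(g) - 1), 0
    for i in range(len(g) - 1, 0, -1):
        acc = (acc * a + g[i]) % P
        quot[i - 1] = acc
    ga = (acc * a + g[0]) % P           # remainder g(a), never 0 for a in the support
    scale = (-inv(ga)) % P
    return [c * scale % P for c in quot]


def syndrome_from_definition(e, g, L):
    """S_e(x) = sum_j e_j / (x - L_j) mod g(x), as a list of t coefficients."""
    s = [0] * (len(g) - 1)
    for ej, Lj in zip(e, L):
        if ej:
            for i, c in enumerate(inverse_of_linear(g, Lj)):
                s[i] = (s[i] + ej * c) % P
    return s


def parity_check(g, L):
    """H = toep(g_1..g_t) * vdm_t(L) * diag(g(L_j)^-1) over F_p, Equation (1)."""
    t, n = len(g) - 1, len(L)
    T = [[g[t - i + j] if j <= i else 0 for j in range(t)] for i in range(t)]
    V = [[pow(Lj, i, P) for Lj in L] for i in range(t)]
    D = [inv(g_at(g, Lj)) for Lj in L]
    TV = [[sum(T[i][k] * V[k][j] for k in range(t)) % P for j in range(n)] for i in range(t)]
    return [[TV[i][j] * D[j] % P for j in range(n)] for i in range(t)]


def syndrome_from_H(e, g, L):
    """H e^T, rearranged into the coefficient order of S_e(x): row i of H is -s_{t-1-i}."""
    rows = [sum(h * x for h, x in zip(row, e)) % P for row in parity_check(g, L)]
    return [(-c) % P for c in reversed(rows)]


if __name__ == "__main__":
    err = [0] * P                        # constructed error pattern of weight 3
    err[2], err[7], err[10] = 3, 9, 1
    print(syndrome_from_definition(err, G, L) == syndrome_from_H(err, G, L))
```

The matrix route is what an implementation stores (or, over $\mathbb{F}_p$, its trace-construction equivalent), while the definition route is the one the key equation of Section III reasons about; checking them against each other on a few constructed patterns catches the sign and coefficient-order mistakes that otherwise surface only as decoding failures.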

B. Polynomial Lattices 

Let $A \in \mathbb{F}_q[x]^{n \times m}$ be a polynomial matrix, and let $r$ denote its rank (i.e. assume that $A$ has $r$ linearly independent rows). The (polynomial) lattice $\Lambda(A)$ over $\mathbb{F}_q[x]$ spanned by the rows of $A$ is

\[ \Lambda(A) = \{(u_0, \dots, u_{n-1})A \in \mathbb{F}_q[x]^m \mid (u_0, \dots, u_{n-1}) \in \mathbb{F}_q[x]^n\}. \]

The notion of length which we will use for $f \in \mathbb{F}_q[x]$ is $|f| = \deg(f)$. For polynomial vectors $v \in \mathbb{F}_q[x]^n$ we adopt the notion of maximal degree length: $|v| = \max_i |v_i|$. This notion is coarse enough that, contrary to integer lattices where finding even an approximation to the shortest vector by a constant factor is a hard problem [17], reducing a basis for a polynomial lattice can be achieved in polynomial time. The following result by Mulders and Storjohann holds [18]:

Theorem 1. There exists an algorithm which finds the shortest nonzero vector in the $\mathbb{F}_q[x]$-module generated by the rows of $A$ with $O(mnrd^2)$ operations in $\mathbb{F}_q$, where $d = \max\{\deg(A_{ij}) \mid 1 \le i \le n, 1 \le j \le m\}$.

The algorithm whose existence is established by Theorem 1 is based on converting a given lattice basis to the so-called weak Popov form, formally defined in Appendix A, which also contains a description of Algorithm 2 and its cost behavior in the context of decoding.

The weak Popov form is not the only way to find short vectors in a polynomial lattice, and in fact this is not critical to our proposal in this paper; for instance, the method by Lee and O'Sullivan [19], which is related to Gröbner bases, would appear to be an alternative. Our choice of the Mulders-Storjohann method, which computes the weak Popov form, derives from its conceptual simplicity and ease of implementation, since the result turns out to be a natural generalization of Patterson's decoding algorithm described in the next section.

III. Patterson's Decoding Method 

We briefly recapitulate Patterson's decoding algorithm [20], which will provide the basis for the general algorithm we propose. The goal, of course, is to compute the error pattern $e$ given its syndrome $S_e$ and the structure of $\Gamma(L, g)$.

Let $q = 2^m$, and assume we are given a binary Goppa code $\Gamma(L, g)$ where the monic polynomial $g$ is irreducible. We define the Patterson locator polynomial $\sigma \in \mathbb{F}_q[x]$ as:

\[ \sigma(x) := \prod_{e_j = 1} (x - L_j). \tag{2} \]

The name locator polynomial comes from the fact that the roots of $\sigma$ clearly indicate where errors occurred, since $\sigma(L_j) = 0 \Leftrightarrow e_j = 1$. Taking the derivative of the formal power series underlying $\sigma$, we obtain

\[ \sigma'(x) = \sum_{e_i = 1} \prod_{e_j = 1,\, j \ne i} (x - L_j) = \sigma(x) \sum_{e_i = 1} \frac{1}{x - L_i} \]

and hence, in $\mathbb{F}_q[x]/g(x)$,

\[ \sigma'(x) = \sigma(x) S_e(x) \bmod g(x). \tag{3} \]

This is called the key equation, and now we discuss how to solve it.

Being a polynomial in characteristic 2, $\sigma(x)$ modulo $g(x)$ can be written as

\[ \sigma(x) = a_0(x)^2 + x\,a_1(x)^2 \]

for some $a_0(x), a_1(x)$ with $\deg(a_0) \le \lfloor t/2 \rfloor$ and $\deg(a_1) \le \lfloor (t - 1)/2 \rfloor$, and hence

\[ \sigma'(x) = 2a_0(x)a_0'(x) + a_1(x)^2 + 2a_1(x)a_1'(x)\,x = a_1(x)^2, \]

since the characteristic is 2. Therefore

\[ a_1(x)^2 = \sigma'(x) = \sigma(x) S_e(x) = \big(a_0(x)^2 + x\,a_1(x)^2\big)\, S_e(x) \bmod g(x), \]

whence

\[ a_0(x) = a_1(x)\, v(x) \bmod g(x) \tag{4} \]

where $v(x)$ is a polynomial satisfying $v(x)^2 = x + 1/S_e(x) \bmod g(x)$. Such a polynomial surely exists in characteristic 2 if $g(x)$ is square-free: if $g(x) = \prod_i g_i(x)$ where each $g_i(x)$ is irreducible, then $v(x) \bmod g_i(x)$ can be computed as a square root of $x + 1/S_e(x) \bmod g_i(x)$ viewed as an element of the finite field $\mathbb{F}_q[x]/g_i(x)$, and $v(x) \bmod g(x)$ can then be obtained by combining the results via the Chinese Remainder Theorem. We can thus assume that $\deg(v) < t = \deg(g)$.

The last equation is actually a Bezout relation $a_0(x) = a_1(x)v(x) + \Lambda(x)g(x)$, which can be solved for $a_0(x)$ and $a_1(x)$ with the restriction $\deg(a_j) \le \lfloor (t - j)/2 \rfloor$ (and also $\Lambda(x)$, but it is not used) using the extended Euclidean algorithm. Solutions $(a_0, a_1)$ can also be seen as short vectors in the lattice spanned by the rows of the following matrix:

\[ A = \begin{pmatrix} g & 0 \\ v & 1 \end{pmatrix} \]

in the sense that the degrees of these polynomials are much smaller than those of uniformly random vectors, since $(\Lambda, a_1)A = (\Lambda g + a_1 v, a_1) = (a_0, a_1)$ for some $\Lambda \in \mathbb{F}_q[x]$, by virtue of Equation (4). Therefore, Algorithm 2 can be used to find candidate solutions $(a_0, a_1)$.

At first glance there is no guarantee that a short vector in the lattice generated by $A$ yields the desired solution; in other words, being short is a necessary condition, but in principle not a sufficient one. However, the fact that in the binary case the minimum code distance is known [2] to be at least $2t + 1$ actually restricts $\sigma$ to a single candidate, so that Algorithm 2 is bound to find it. Thus, decoding is always successful up to $t$ introduced errors.

IV. Decoding Codes over Fp 

We now show how to generalize Patterson's decoding algorithm so as to correct errors for codes defined over general prime fields. Thus, let $q = p^m$ for some prime $p$ and some $m > 0$, and assume we are given an irreducible Goppa code $\Gamma(L, g)$ over $\mathbb{F}_p$.

Let $\phi \in \mathbb{F}_p \setminus \{0\}$ be a constant scalar. We define the generalized error locator polynomial to be

\[ \sigma_\phi(x) := \prod_j (x - L_j)^{e_j/\phi} \tag{5} \]

where the value $e_j/\phi$ is lifted from $\mathbb{F}_p$ to $\mathbb{Z}$ (i.e. the value $e_j/\phi \in \mathbb{F}_p$ that occurs as an exponent is taken to mean its corresponding least non-negative integer representative, which lies in the range $0 \dots p - 1$). One can easily see that this definition actually coincides with Patterson's error locator polynomial as defined by Equation (2) for $p = 2$. Lifting Equation (5) to the field of rational functions in characteristic 0 and taking the derivative, we have

\[ \sigma_\phi'(x) = \sum_j (e_j/\phi)\,(x - L_j)^{e_j/\phi - 1} \prod_{i \ne j} (x - L_i)^{e_i/\phi} = \sigma_\phi(x) \sum_j \frac{e_j/\phi}{x - L_j}, \]

which over $\mathbb{F}_q[x]$ reduces to

\[ \phi\,\sigma_\phi'(x) = \sigma_\phi(x)\, S_e(x) \bmod g(x). \tag{6} \]

This is the $\phi$-th key equation of the proposed method, which generalizes Equation (3) to Goppa codes over $\mathbb{F}_p$. The actual $\phi$ must be chosen so as to minimize the degree of $\sigma_\phi$ (and hence maximize the number of correctable errors). One cannot expect to know a priori the value of $\phi$, but since there are only $p - 1$ possibilities, the error correction strategy will be to try each of them in turn.

Notice that the maximum number of correctable errors can be, and usually is, less than $t$, since the degree of $\sigma_\phi$ exceeds the number of roots in the presence of multiple roots. The following theorem provides an upper bound for how many errors can be corrected by solving Equation (6) when the distribution of error magnitudes is not taken into account.

Theorem 2. The maximum number of errors that can be corrected by solving Equation (6) independently of the distribution of error magnitudes is $w = (2/p)t$.

Proof: Let $w_v$ denote the number of times the magnitude $v$ occurs in an error pattern of weight $w$, so that $\sum_v w_v = w$. Since we are working with a Goppa code, the constraint for correctability is $\deg(\sigma_\phi) = \sum_v (v/\phi)\, w_v \le t$. In the extreme situation when the weight of the error pattern reaches $w$, the most frequent error magnitude occurs $w_{\max} \ge w/(p - 1)$ times, attaining the lower bound when all error magnitudes occur with equal frequency. In that case, $\deg(\sigma_\phi) \le \sum_v (v/\phi)\, w_{\max} = (1 + 2 + \dots + (p - 1))\, w/(p - 1) = wp/2 \le t$, and hence no more than $w = (2/p)t$ errors can be corrected independently of the distribution of magnitudes, as claimed. ∎

Since the proposed method coincides with Patterson's for $p = 2$, it is not surprising that $t$ errors can be corrected in that case. However, in characteristic 3 the number of potentially correctable errors is $(2/3)t$, non-deterministically exceeding the limit of $t/2$ errors attainable by previously known decoding methods for codes of degree $t$, except in the case of so-called "wild codes" [6] whereby the Goppa polynomial is a $(p - 1)$-th power of an irreducible polynomial (our method, by contrast, applies when that polynomial is square-free, as we will see in Section IV-A).

Despite the low general limit of $(2/p)t$ correctable errors for $p > 3$, it is still possible to exceed that limit in any odd characteristic if the distribution of error magnitudes is unbalanced. Indeed, all that is required to get a chance of uniquely decoding a word containing $w \le t$ errors is that $\deg(\sigma_\phi) \le t$ for some choice of $\phi$ and that the actual distance from the right codeword to any other codeword be at least $2w + 1$.

The actual number of correctable errors depends heavily on the distribution of error magnitudes and has to be computed on a case-by-case basis, always lying in the range $(2/p)t$ to $t$. In particular, if all error magnitudes are equal, in principle one could correct $t$ errors, even though this is a statistical rather than deterministic behavior. This is especially useful for cryptographic applications involving an all-or-nothing transform [21], as it happens e.g. for a semantically secure encryption scheme involving the McEliece one-way trapdoor function [13] and the Fujisaki-Okamoto conversion [14]. In such scenarios, the magnitudes of the introduced errors can be chosen to be all or nearly all equal by convention, making the proposed decoder attractive for its higher decodability bound, under the explicit assumption that decoding them remains hard.
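The degree of $\sigma_\phi$ in Equation (5) depends only on the error magnitudes and on the lift of $e_j/\phi$ to an integer, so the effect of the choice of $\phi$ and the bound of Theorem 2 can be worked out without any polynomial arithmetic. The following added example (not code from the paper) does that: it computes $\deg(\sigma_\phi)$ for every $\phi \in \mathbb{F}_p \setminus \{0\}$, picks the minimizing $\phi$, and compares a balanced magnitude distribution (degree $wp/2$ for every $\phi$, as in the proof of Theorem 2) with an all-equal one (degree $w$ for the right $\phi$). The error patterns and the parameters $p = 5$ are constructed for the example.

```python
# Added example: deg(sigma_phi) of Equation (5) from the error magnitudes alone.
# The lift of e_j / phi to {0, ..., p-1} is the multiplicity of the root L_j.


def lift(a, p):
    """Least non-negative integer representative of a in F_p (the exponent in Equation (5))."""
    return a % p


def locator_degree(e, phi, p):
    """deg(sigma_phi) = sum_j lift(e_j / phi); positions with e_j = 0 contribute nothing."""
    phi_inv = pow(phi, p - 2, p)            # 1/phi in F_p, p prime
    return sum(lift(ej * phi_inv, p) for ej in e)


def best_phi(e, p):
    """The phi in F_p \\ {0} that minimizes deg(sigma_phi), together with that degree."""
    degree, phi = min((locator_degree(e, phi, p), phi) for phi in range(1, p))
    return phi, degree


def correctable_with(e, t, p):
    """True when some phi gives deg(sigma_phi) <= t, the precondition for solving Equation (6)."""
    return best_phi(e, p)[1] <= t


def balanced_weight_bound(p, t):
    """Largest w with w*p/2 <= t: the (2/p)t bound of Theorem 2 for magnitudes of equal frequency."""
    return (2 * t) // p


if __name__ == "__main__":
    p = 5
    balanced = [1, 2, 3, 4]                  # constructed: every magnitude once, w = 4
    equal = [3, 3, 3, 3, 3, 3]               # constructed: all magnitudes equal, w = 6
    print([locator_degree(balanced, phi, p) for phi in range(1, p)])   # wp/2 = 10 for every phi
    print(best_phi(equal, p))                                            # (3, 6): degree w with phi = 3
```

For the balanced pattern no choice of $\phi$ helps, which is why $w = (2/p)t$ is the most that can be guaranteed without knowing the magnitude distribution; for the all-equal pattern the decoder only needs $w \le t$ once it has guessed $\phi$, which is the regime the cryptographic convention of all-equal magnitudes exploits.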



A. Solving the Key Equation 

We now focus on actually solving Equation (6). Being a polynomial in characteristic $p$, $\sigma_\phi(x)$ can be written as

\[ \sigma_\phi(x) = \sum_{k=0}^{p-1} x^k\, a_k(x)^p \tag{7} \]

for some $a_k(x)$ with $\deg(a_k) \le \lfloor (t - k)/p \rfloor$, $0 \le k \le p - 1$, and hence

\[ \sigma_\phi'(x) = \sum_{k=1}^{p-1} k\, x^{k-1} a_k(x)^p \]

since the characteristic is $p$. Therefore

\[ \phi \sum_{k=1}^{p-1} k\, x^{k-1} a_k(x)^p = \phi\,\sigma_\phi'(x) = \sigma_\phi(x)\, S_e(x) = \Big(\sum_{k=0}^{p-1} x^k a_k(x)^p\Big)\, S_e(x) \bmod g(x), \]

whence

\[ a_0(x) + \sum_{k=1}^{p-1} a_k(x)\, v_k(x) = 0 \bmod g(x) \tag{8} \]

where the $v_k(x)$ are polynomials satisfying $v_k(x)^p = x^k - \phi k\, x^{k-1}/S_e(x) \bmod g(x)$. Such polynomials surely exist in characteristic $p$ if $g(x)$ is square-free: if $g(x) = \prod_i g_i(x)$ where each $g_i(x)$ is irreducible, then $v_k(x) \bmod g_i(x)$ can be computed as a $p$-th root of $x^k - \phi k\, x^{k-1}/S_e(x) \bmod g_i(x)$ viewed as an element of the finite field $\mathbb{F}_q[x]/g_i(x)$, and $v_k(x) \bmod g(x)$ can then be obtained by combining the results via the Chinese Remainder Theorem. We can thus assume that $\deg(v_k) < t = \deg(g)$.

The Diophantine equation (8) has to be solved for $a_k(x)$ with the stated restriction on their degrees. Solutions $(a_0, a_1, \dots, a_{p-1})$ can be seen as short vectors in the lattice spanned by the rows of the matrix

\[ A_\phi = \begin{pmatrix} g & 0 & 0 & \cdots & 0 \\ -v_1 & 1 & 0 & \cdots & 0 \\ -v_2 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \\ -v_{p-1} & 0 & 0 & \cdots & 1 \end{pmatrix} \tag{9} \]

since, by virtue of Equation (8), one has $(\Lambda, a_1, \dots, a_{p-1})\, A_\phi = (\Lambda g - \sum_{k=1}^{p-1} a_k(x) v_k(x), a_1, \dots, a_{p-1}) = (a_0, a_1, \dots, a_{p-1})$ for some $\Lambda \in \mathbb{F}_q[x]$. Therefore, Algorithm 2 can be used to find candidate solutions $(a_0, \dots, a_{p-1})$.

The method is applicable whenever one can actually invert $S_e \bmod g$ and then compute the $p$-th roots needed to define the $v_k$ polynomials. This is always the case when $g$ is irreducible, but not exclusively so. Indeed, to compute the $v_k$ it suffices that $g$ is square-free and that $S_e$ is invertible modulo each of the irreducible factors of $g$, since in this case the $v_k$ can be easily computed modulo those irreducible factors and finally recovered via the Chinese Remainder Theorem.

Theorem 1 ensures a cost not exceeding $O(p^3 t^2)$ operations for computing short vectors in $\Lambda(A_\phi)$.
B. Estimating the Success Probability

Regrettably the ability to find short vectors in the lattice $\Lambda(A_\phi)$ does not mean that any such vector yields a solution to Equation (6). We will now see that, fortunately, the proposed method has a surprisingly favourable probability of finding the right $(a_0, \dots, a_{p-1})$ that solves Equation (6).

As a cautionary note, we stress that a full theoretical analysis of the failure probability remains, to the best of our knowledge, an open problem. Because the distance notion here is not Euclidean, but rather that of Hamming, Minkowski's theorem on the existence of a lattice point in any large enough convex set does not appear to apply in our case. Also, the analysis would appear to require a detailed theory on the distribution of the average distance between a vector and the closest codeword whose magnitudes satisfy some constraint (like being all equal, or following a highly skewed distribution), which to the best of our knowledge is also an open problem. As a consequence, the failure probability estimates we provide are conjectured on an empirical basis. Namely, they result from experiments conducted on a large number of random Goppa codes at which our decoding method is targeted, and for each of those codes, on a large number of decoding attempts on random error patterns following the particular magnitude constraint (equal for all error positions) for which the decoder works best.

In a successful decoding, the reduced basis for the lattice $\Lambda(A_\phi)$ leads to candidates for $\sigma_\phi$ with degree $t$ onward, of which of course only the candidate with the smallest degree is the correct one. Spurious candidates of degree close to $t$ result from random-looking short (albeit not shortest) vectors in the reduced basis and are usually harmless. But the fact that those short vectors are "random-looking" means they are also a threat: if by chance they are such that the coefficient of the highest-degree term in the associated spurious $\sigma_\phi$ vanishes, $\deg(\sigma_\phi)$ becomes $t$ or less. Since this is connected with the vanishing of a coefficient from $\mathbb{F}_q$, this event happens with probability $1/q$ assuming that short spurious vectors in $\Lambda(A_\phi)$ are approximately uniformly distributed.

In general, when trying to correct $w \le t$ errors of equal magnitude for a uniformly random irreducible Goppa code, the top $t + 1 - w$ coefficients in the spurious $\sigma_\phi$ must vanish to interfere with the decoding process, whence the probability of successful decoding is roughly $1 - 1/q^{t+1-w}$. This matches the empirically observed behaviour of the proposed method in odd characteristic. Not surprisingly, the method always succeeds for binary codes, since it reduces to Patterson's algorithm and the minimum code distance is known to be at least $2t + 1$.

Table I illustrates the results of experiments in Magma [22] supporting the conjecture that the probability of successful decoding is roughly $P_{\mathrm{suc}} \approx 1 - 1/q^{t+1-w}$. For each quadruple $(p, m, t, w)$, a set of 10000 Goppa codes of maximum length $n = p^m$ and degree $t$ plus an error pattern of length $n$, weight $w$ and all magnitudes equal (to a single random value in $\mathbb{F}_p \setminus \{0\}$) were randomly generated, and the proposed method was then applied to decode the syndrome of that error pattern. The predicted number of successful decodings, $N_{\mathrm{pre}}$, is then compared with the actually observed number $N_{\mathrm{obs}}$ of successful decodings. For each combination of $p$ and $m$, the first listed $t$ is the largest integer satisfying $n - mt > 0$. The number $w$ of introduced errors is then decreased starting from $t$ until the probability of success exceeds 0.9999. Since $P_{\mathrm{suc}}$ is close to 1 for large $q$, reasonably small values are chosen for all parameters so that the probability of decoding failure is large enough to be easily discernible. This is also the reason why more detail is provided for smaller parameters. We omit the results for characteristic 2, since in all tests we conducted no decoding failure was observed, as expected. We stress that these examples are not meant by any means for practical cryptographic use.

TABLE I
Experimental assessment of the probability of decoding success

  p   m    t    w   P_suc      N_pre   N_obs
  3   3    8    8   0.962963    9630    9670
  3   3    8    7   0.998628    9986    9992
  3   3    8    6   0.999949    9999    9999
  3   3    7    7   0.962963    9630    9639
  3   3    7    6   0.998628    9986    9989
  3   3    7    5   0.999949    9999   10000
  3   3    6    6   0.962963    9630    9645
  3   3    6    5   0.998628    9986    9991
  3   3    6    4   0.999949    9999   10000
  3   4   20   20   0.987654    9877    9883
  3   4   20   19   0.999848    9998    9997
  3   4   20   18   0.999998   10000   10000
  5   2   12   12   0.960000    9600    9612
  5   2   12   11   0.998400    9984    9985
  5   2   12   10   0.999936    9999   10000
  5   3   41   41   0.992000    9920    9924
  5   3   41   40   0.999936    9999   10000
  7   2   24   24   0.997085    9971    9989
  7   2   24   23   0.999992    9999   10000
 11   2   60   60   0.991736    9917    9922
 11   2   60   59   0.999932    9999    9999


Decoding $w \le (2/p)t$ errors of uniformly random magnitude for a uniformly random irreducible code is of course always successful for $p > 3$, since in that case $w$ does not exceed half the minimum code distance, which is at least $t + 1 \ge (4/p)t + 1 \ge 2w + 1$.

C. Computing the Error Magnitudes 

In contrast to generic alternant decoding methods, there is no need to compute an error evaluator polynomial to obtain the error magnitudes in the current proposal. After obtaining $\sigma_\phi(x)$ and finding its roots $L_j$, all that is needed to compute the corresponding error values $e_j$ is to determine the multiplicity $\mu_j$ of each root, since one can see from Equation (5) that $e_j = \phi\mu_j$.

Computing $\mu_j$ is accomplished by determining how many times $(x - L_j) \mid \sigma_\phi(x)$ whenever $\sigma_\phi(L_j) = 0$, or alternatively by finding the highest derivative of $\sigma_\phi$ such that $\sigma_\phi^{(h)}(L_j) = 0$ (and setting $\mu_j \leftarrow h$).

Since the value of $\phi$ is not known a priori, and even in scenarios where it is actually known beforehand, an additional syndrome check is necessary for each guessed $\phi$, and the process usually must check all possible values of $\phi$ anyway since more than one solution may exist.

D. The Completed Decoder 

We are finally ready to state the full decoding method explicitly in Algorithm 1. It can be seen as a list decoding algorithm with possible failures. The polynomial decomposition of Equation (7) immediately suggests a simple and efficient way to compute the $p$-th roots needed at Step 9, namely, precompute $r(x) \leftarrow x^{1/p} \bmod g(x)$ and $r(x)^k \bmod g(x)$, and then compute the $p$-th root of $z(x) := \sum_k x^k z_k(x)^p$ as $z(x)^{1/p} \bmod g(x) \leftarrow \sum_k r(x)^k z_k(x)$. The test in Step 2 is unnecessary if $g$ is irreducible. To find the zeroes of $\sigma_\phi$ in Step 21 one can use the Chien search technique [23], in which case the multiplicities of each root can be determined as part of the search, or the Berlekamp trace algorithm [24].

V. Conclusion 

We described a new decoding algorithm for square-free (in particular, irreducible) Goppa codes of degree $t$ over $\mathbb{F}_p$ that can correct $(2/p)t$ errors in general, and up to $t$ errors for certain distributions of error magnitudes of cryptographic interest. By attaining a correction capability of $(2/3)t$ errors in characteristic 3 with high probability, our method outperforms the best previously known decoder for that case, and suggests that the corresponding average distance to the closest codeword is at least $(4/3)t + 1$ for most irreducible ternary Goppa codes. Regardless of the characteristic, our proposal can correct a still larger number of errors that approaches (and probabilistically reaches) $t$ as the distribution of error magnitudes becomes ever more skewed toward the predominance of some individual value. The method can be viewed as generalizing Patterson's binary decoding procedure, and is similarly efficient in practice.

A further increase in the number of correctable errors may be possible by resorting to list decoding and by extracting more information from the decoding process along the lines proposed by Bernstein [11]. This in principle might enable the correction of approximately $n - \sqrt{n(n - (4/p)t)}$ errors in general, and possibly as many as $n - \sqrt{n(n - 2t - 2)}$ errors depending on the distribution of error magnitudes. Furthermore, the ability to correct close to $t$ errors with high probability means that smaller keys might be adopted for coding-based cryptosystems. Properly chosen parameters would keep the probability of decoding failure below the probability of breaking the resulting schemes by random guessing, while maintaining the security at the desired level. We leave the investigation of such possibilities for future research.
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Appendix A 
The Weak Popov Form 

For ease of reference, we provide here a concise description 
of the Mulders-Storjohann polynomial lattice reduction algo- 
rithm based on the weak Popov form. We closely follow the 
exposition in ifTSl . while attempting to make our description 
more implementation-friendly. 

Definition 1. For \ ^ i ^ n the /-th pivot index vector l'^ of 
a matrix M e F^[x]"^'" is defined as follows: if Mij — Q for all 
1 < 7 < m, then if' — 0, otherwise 

1) deg(M,v) < deg(M,.,,«)/or 1 < ; < /f, 

2) degiMij) < deg(M,.,M)/or /f < ; < m. 

Definition 2. The carrier set C'^ of a matrix M e F^[ji:]"^"' 
is the set {1 ^ i ^ n \ if 0). The i-th pivot element of 
M, denoted Pf, is the element Pf M,jm when if + 0, 
otherwise Pf :— 0. 

Definition 3. A matrix M e F^[x]"^'" is said to be in weak 
Popov form if the positive pivot indices of M are all different, 
i.e. ifMkJeC^ -.k + t^ If If. 

The following theorem establishes that writing a matrix in 
weak Popov form yields short vectors in the lattice spanned 
by its rows. 

Theorem 3 ( flSl). If matrix M e F^[x]"^"' is in weak Popov 
form and I is such that deg{Pf) = mini^,-^„{deg(f f^)), then 



all vectors in the ¥q[x'\-module generated by the rows of M 
have degree at least A&giPf). 

Proof: See fW, Lemma 8.1]. ■ 
IfkeC'^J + k and deg(Mf ;«) > deg(Pf ), there are unique 
c e¥q and e € N such that deg(M^_/M - cx"Pf) < Ae,g{MijM). 
In that case we call the operation Mf <— Mi — cx^Mk the 
simple transformation of row k on row (. If if - if, the 
transformation is called of the first kind. Then an efficient 
algorithm to put a matrix in weak Popov form stems from the 
following observation: 

Theorem 4 ([15]). $M \in \mathbb{F}_q[x]^{n \times m}$ is not in weak Popov form 
iff one can apply a simple transformation of the first kind on 
$M$, that is, not all non-zero pivot indices of $M$ are different. 

Proof: See [15, Lemma 2.1]. ■ 
Therefore, all one has to do to obtain the weak Popov form 
of a matrix M is to repeatedly check if M is already in the 
weak Popov form (by testing if all nonzero pivot indices are 
different) and, if it is not, apply a simple transformation of the 
first kind on it. 

This process is summarised in Algorithm 2 for a matrix in 
the form of Equation (9), where $n = m = p$, the expected rank 
is $r$, and the degree of all rows is bounded by $d \leqslant t$. By 
Theorem 1 its complexity is $O(p^{?}t^{?})$ $\mathbb{F}_q$ operations at most. 
Here $\operatorname{lead}(P)$ denotes the leading coefficient of $P \in \mathbb{F}_q[x]$ and 
$\operatorname{rep}(I^A)$ denotes the number of occurrences of the most frequent 
value among the nonzero components of $I^A$, i.e. $\operatorname{rep}(I^A) := 
\max\{\#\{j \mid I_j^A = v\} \mid v \neq 0\}$. 

Written in this form, Algorithm 2 is strikingly similar to 
the modified Euclidean algorithm usually employed in the 
decoding of alternant codes [8], and actually coincides with 
that method for $p = 2$. 



Algorithm 2 Computing the weak Popov form 

Input: $A \in \mathbb{F}_q[x]^{p \times p}$ in the form of Equation (9). 
Output: weak Popov form of $A$. 

1: ▷ Compute $I^A$: 
2: for $j \leftarrow 1$ to $p$ do 
3:   $I_j \leftarrow$ if $\deg(A_{j1}) > 0$ then $1$ else $j$ 
4: end for 
5: ▷ Put $A$ in weak Popov form: 
6: while $\operatorname{rep}(I^A) > 1$ do 
7:   for $\ell \leftarrow 1$ to $p$ such that $I_\ell \neq 0$ do 
8:     for $k \leftarrow 1$ to $p$ such that $\ell \neq k$ and $I_k = I_\ell$ do 
9:       while $\deg(A_{\ell,I_\ell}) \geqslant \deg(A_{k,I_k})$ do 
10:        $c \leftarrow \operatorname{lead}(A_{\ell,I_\ell}) / \operatorname{lead}(A_{k,I_k})$ 
11:        $e \leftarrow \deg(A_{\ell,I_\ell}) - \deg(A_{k,I_k})$ 
12:        $A_\ell \leftarrow A_\ell - c x^e A_k$ 
13:      end while 
14:      ▷ Update $I_\ell$ and hence $\operatorname{rep}(I^A)$ if necessary: 
15:      $d \leftarrow \max\{\deg(A_{\ell j}) \mid j = 1, \ldots, p\}$ 
16:      $I_\ell \leftarrow \max\{j \mid \deg(A_{\ell j}) = d\}$ 
17:    end for 
18:  end for 
19: end while 
20: return $A$ 
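As an added example that is not part of the paper, the following Python code implements Definitions 1 to 3 and the reduction loop behind Algorithm 2: simple transformations of the first kind are applied until all nonzero pivot indices differ (Theorem 4). It assumes, as a simplification, coefficients in a prime field F_p rather than F_q, and accepts any matrix rather than only the form of Equation (9); the sample matrices are constructed.

```python
# Added example, not code from the paper: the weak Popov form of Appendix A
# computed by repeated simple transformations of the first kind.
# Simplifying assumption: entries are in F_p[x] for a prime p (not F_q[x]);
# a polynomial is a coefficient list, index = exponent, [] is the zero polynomial.

def trim(f):
    """Drop leading zeros so that deg(f) == len(f) - 1 (deg(0) == -1)."""
    while f and f[-1] == 0:
        f.pop()
    return f

def deg(f):
    return len(f) - 1

def pivot_index(row):
    """Definition 1: 1-based column of maximal degree, rightmost on ties; 0 for a zero row."""
    d = max(deg(f) for f in row)
    return 0 if d < 0 else max(j + 1 for j, f in enumerate(row) if deg(f) == d)

def is_weak_popov(M):
    """Definition 3: the nonzero pivot indices are pairwise distinct."""
    piv = [pivot_index(row) for row in M if pivot_index(row)]
    return len(piv) == len(set(piv))

def sub_shifted(f, g, c, e, p):
    """Return f - c * x^e * g over F_p."""
    out = list(f) + [0] * max(0, e + len(g) - len(f))
    for i, gi in enumerate(g):
        out[i + e] = (out[i + e] - c * gi) % p
    return trim(out)

def weak_popov(M, p):
    """Return the weak Popov form of M (a list of rows of F_p[x] polynomials)."""
    M = [[trim(list(f)) for f in row] for row in M]
    piv = [pivot_index(row) for row in M]
    while True:
        # Theorem 4: M is not in weak Popov form iff some pair of nonzero rows
        # shares a pivot index; then row k can reduce row l at that column.
        clash = [(k, l) for k in range(len(M)) for l in range(len(M))
                 if k != l and piv[k] and piv[k] == piv[l]
                 and deg(M[l][piv[k] - 1]) >= deg(M[k][piv[k] - 1])]
        if not clash:
            return M
        k, l = clash[0]
        col = piv[k] - 1
        fk, fl = M[k][col], M[l][col]
        c = fl[-1] * pow(fk[-1], p - 2, p) % p   # lead(A_l) / lead(A_k) in F_p
        e = deg(fl) - deg(fk)
        M[l] = [sub_shifted(M[l][j], M[k][j], c, e, p) for j in range(len(M[l]))]
        piv[l] = pivot_index(M[l])              # only row l changed (Algorithm 2, lines 15-16)
```

By Theorem 3, the row of the result whose pivot element has minimal degree is a shortest vector of the lattice spanned by the input rows.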
Appendix B 
Decoding Other Families of Codes? 

For completeness, we briefly discuss whether and how one 
might attempt to use similar methods to decode a different 
family of alternant codes, including BCH codes and their 
permuted and/or punctured versions. 

Let $L \in \mathbb{F}_q^n$ be a sequence of $n < q$ distinct nonzero 
elements, let $D \in \mathbb{F}_q^n$ be a sequence of nonzero elements, and 
let $H = \operatorname{vdm}(L)\operatorname{diag}(D)$. For any word $e \in \mathbb{F}_q^n$ we define the 
corresponding alternant $r$-syndrome polynomial $s_e \in \mathbb{F}_q[x]$ to 
be $s_e(x) := \sum_{i=0}^{r-1} s_i x^i$ where $s := He^{\mathsf{T}}$, i.e. 

$$s_i = \sum_{j=0}^{n-1} e_j D_j L_j^i .$$

The alternant code $\mathcal{A}(L, D, r)$ consists of the set $\{e \in \mathbb{F}_p^n \mid 
s_e(x) = 0\}$. 

Using the formula for the sum of a geometric sequence 
$\sum_{i=0}^{r-1} u^i = (1 - u^r)/(1 - u)$, whereby $\sum_{i=0}^{r-1} L_j^i x^i = (1 - 
x^r L_j^r)/(1 - xL_j) = 1/(1 - xL_j) \bmod x^r$, one can see that 

$$s_e(x) = \sum_{i=0}^{r-1} \sum_{j=0}^{n-1} e_j D_j L_j^i x^i 
= \sum_{j=0}^{n-1} e_j D_j \sum_{i=0}^{r-1} L_j^i x^i 
= \sum_{j=0}^{n-1} \frac{e_j D_j}{1 - xL_j} \bmod x^r .$$



The subfamily we will be interested in is that of alternant 
codes satisfying the restriction $D_j/L_j \in \mathbb{F}_p \setminus \{0\}$ for all $j$, 
so that each such value can be lifted to $\mathbb{Z}$ with a representative 
in the range $1 \ldots p-1$. 

Let $\varphi \in \mathbb{F}_p \setminus \{0\}$ be a constant scalar. We define the 
generalized error locator polynomial for this family as 

$$\sigma_\varphi(x) := \prod_{j=0}^{n-1} (1 - xL_j)^{-e_j D_j/(\varphi L_j)} , \qquad (10)$$

where each exponent $-e_j D_j/(\varphi L_j) \in \mathbb{F}_p$ is read as its integer 
representative in the range $0 \ldots p-1$. 

The error positions are revealed by the inverses of the components 
of $L$, which are the roots of this polynomial. This 
definition coincides with the usual alternant error locator 
polynomial when $p = 2$, in which case $D = L$ (hence, a 
permuted and/or punctured subcode of a binary BCH code). 

Taking the derivative of the formal power series underlying 
$\sigma_\varphi$ in Equation (10) we get 

$$\sigma'_\varphi(x) = \sum_{j=0}^{n-1} \frac{-e_j D_j/(\varphi L_j) \cdot (-L_j)}{1 - xL_j} 
\prod_{i=0}^{n-1} (1 - xL_i)^{-e_i D_i/(\varphi L_i)} 
= \frac{1}{\varphi}\, \sigma_\varphi(x) \sum_{j=0}^{n-1} \frac{e_j D_j}{1 - xL_j} ,$$

which over $\mathbb{F}_q[x]$ reduces to 

$$\varphi\, \sigma'_\varphi(x) = \sigma_\varphi(x)\, s_e(x) \bmod x^r . \qquad (11)$$

This is the $\varphi$-th key equation for this family of codes. 

Now most of the techniques developed above for Goppa 
codes can be applied to solve Equation (11). The main difference 
is that the error magnitudes are computed as a function of the 
multiplicity $\mu_j$ of a root $1/L_j$ of $\sigma_\varphi$ as $e_j = -\varphi \mu_j L_j / D_j$. 

Writing $\sigma_\varphi(x) = \sum_{k=0}^{p-1} x^k a_k(x)^p$ for some $a_k(x)$ with 
$\deg(a_k) \leqslant \lfloor (r - k)/p \rfloor$, solutions to Equation (11) can be found 
as short vectors $(a_0, a_1, \ldots, a_{p-1})$ in the polynomial lattice 
spanned by the rows of the matrix 

$$A = \begin{pmatrix} x^r & 0 & \cdots & 0 \\ -v_1 & 1 & & \\ \vdots & & \ddots & \\ -v_{p-1} & & & 1 \end{pmatrix}$$

where the $v_k(x)$ are polynomials satisfying $v_k(x)^p = x^k - 
\varphi k x^{k-1} / s_e(x) \bmod x^r$, provided that these exist. 

Here the major obstacle for this technique becomes apparent: 
inverting $s_e(x) \bmod x^r$ is usually fine, but computing the 
$v_k(x)$ polynomials is only very seldom possible. Specifically, 
assuming that $-\varphi k x^{k-1} / s_e(x) \bmod x^r$ are uniformly distributed 
polynomials in $\mathbb{F}_q[x]/x^r$ for a random code of this 
family, the probability that it is a $p$-th power mod $x^r$ is 
only about $(q^{r/p}/q^r)^{p-1} = p^{-mr(p-1)^2/p}$, corresponding to the 
vanishing of all but a fraction $1/p$ of the $r$ coefficients of each 
of the $p - 1$ polynomials needed to build matrix $A$. 

Therefore there is scant chance that this would work in 
practice, except possibly for some highly contrived code whose 
syndromes lead to suitable radicands with high probability. It 
is an open problem whether such codes exist and, if so, what 
they might look like. 
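As an added example, not from the paper, the following Python code checks the key equation (11) and the multiplicity-to-magnitude relation numerically on a constructed instance of the subfamily above. It assumes q = p = 7 (so m = 1 and L is drawn from F_7^*); L, D, the error vector and φ are constructed values, and the syndrome is built directly from s = H e^T.

```python
# Added example, not from the paper: the key equation (11) for the alternant
# subfamily of Appendix B, checked on constructed data over F_p with p = 7.
# Assumption: q = p (m = 1), so L can hold at most p - 1 distinct nonzero elements.

P = 7

def pmul(f, g):
    """Product of two coefficient lists over F_P."""
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return out

def pderiv(f):
    """Formal derivative over F_P (coefficient i*a_i at exponent i-1)."""
    return [(i * a) % P for i, a in enumerate(f)][1:]

def syndrome_poly(L, D, e, r):
    """s_e(x) = sum_i s_i x^i with s_i = sum_j e_j D_j L_j^i, i.e. s = H e^T."""
    return [sum(ej * dj * pow(lj, i, P) for lj, dj, ej in zip(L, D, e)) % P for i in range(r)]

def error_locator(L, D, e, phi):
    """sigma_phi(x) = prod_j (1 - x L_j)^{a_j}, a_j = -e_j D_j/(phi L_j) lifted to 0..p-1."""
    sigma = [1]
    for lj, dj, ej in zip(L, D, e):
        a = (-ej * dj * pow(phi * lj, P - 2, P)) % P   # multiplicity of the root 1/L_j
        for _ in range(a):
            sigma = pmul(sigma, [1, (-lj) % P])
    return sigma

def key_equation_holds(L, D, e, phi, r):
    """Equation (11): phi * sigma'(x) == sigma(x) * s_e(x) mod x^r."""
    sigma = error_locator(L, D, e, phi)
    lhs = [(phi * c) % P for c in pderiv(sigma)]
    rhs = pmul(sigma, syndrome_poly(L, D, e, r))
    pad = lambda f: (f + [0] * r)[:r]
    return pad(lhs) == pad(rhs)

def magnitude_from_multiplicity(mu, lj, dj, phi):
    """Recover e_j = -phi * mu_j * L_j / D_j from the root multiplicity mu_j."""
    return (-phi * mu * lj * pow(dj, P - 2, P)) % P

# Constructed instance: L = 1..6, D_j = eps_j * L_j with eps_j = 3 in F_7^*, two errors.
L = [1, 2, 3, 4, 5, 6]
D = [(3 * l) % P for l in L]
E = [0, 2, 0, 0, 5, 0]
```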



